diff --git a/_service b/_service
index 36f9b43..9f97e6a 100644
--- a/_service
+++ b/_service
@@ -4,11 +4,11 @@
git
disable
.git
- v16.4.6
- @PARENT_TAG@
- disable
- v(.*)
+ v16.4.7
v*
+ @PARENT_TAG@
+ v(.*)
+ disable
https://github.com/gravitational/webassets
diff --git a/teleport-16.4.6.obscpio b/teleport-16.4.6.obscpio
deleted file mode 100644
index 1c87d45..0000000
--- a/teleport-16.4.6.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d04f6e750e15fc695b13560b589b3662409c3d57d6413caf682920e6c25f5f31
-size 280200206
diff --git a/teleport-16.4.7.obscpio b/teleport-16.4.7.obscpio
new file mode 100644
index 0000000..720c54e
--- /dev/null
+++ b/teleport-16.4.7.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:611284ef1cfaf5f8184f3585fb94b8022e2f95600fc3b06e7a81e1bf08c55b43
+size 279968782
diff --git a/teleport.changes b/teleport.changes
index 30eb590..79b833c 100644
--- a/teleport.changes
+++ b/teleport.changes
@@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Tue Nov 12 06:42:07 UTC 2024 - Johannes Kastl
+
+- update to 16.4.7:
+ * Fixed bug in Kubernetes session recordings where both root and
+ leaf cluster recorded the same Kubernetes session. Recordings
+ of leaf resources are only available in leaf clusters. #48738
+ * Machine ID can now be forced to use the explicitly configured
+ proxy address using the TBOT_USE_PROXY_ADDR environment
+ variable. This should better support split proxy address
+ operation. #48675
+ * Fixed undefined error in open source version when clicking on
+ Add Application tile in the Enroll Resources page in the Web
+ UI. #48616
+ * Updated Go to 1.22.9. #48581
+ * The teleport-cluster Helm chart now uses the configured
+ serviceAccount.name from chart values for its pre-deploy
+ configuration check Jobs. #48579
+ * Fixed a bug that prevented the Teleport UI from properly
+ displaying Plugin Audit log details. #48462
+ * Fixed an issue preventing migration of unmanaged users to
+ Teleport host users when including teleport-keep in a role's
+ host_groups. #48455
+ * Fixed showing the list of access requests in Teleport Connect
+ when a leaf cluster is selected in the cluster selector. #48441
+ * Added Connect support for selecting Kubernetes namespaces
+ during access requests. #48413
+ * Fixed a rare "internal error" on older U2F authenticators when
+ using tsh. #48402
+ * Fixed tsh play not skipping idle time when --skip-idle-time was
+ provided. #48397
+ * Added a warning to tctl edit about dynamic edits to statically
+ configured resources. #48392
+ * Define a new role.allow.request field called
+ kubernetes_resources that allows admins to define what kinds of
+ Kubernetes resources a requester can make. #48387
+ * Fixed a Teleport Kubernetes Operator bug that happened for
+ OIDCConnector resources with non-nil max_age. #48376
+ * Updated host user creation to prevent local password expiration
+ policies from affecting Teleport managed users. #48163
+ * Added support for Entra ID directory synchronization for
+ clusters without public internet access. #48089
+ * Fixed "Missing Region" error for teleport bootstrap commands.
+ #47995
+ * Fixed a bug that prevented selecting security groups during the
+ Aurora database enrollment wizard in the web UI. #47975
+ * During the Set Up Access of the Enroll New Resource flows, Okta
+ users will be asked to change the role instead of entering the
+ principals and getting an error afterwards. #47957
+ * Fixed teleport_connected_resource metric overshooting after
+ keepalive errors. #47949
+ * Fixed an issue preventing connections with users whose
+ configured home directories were inaccessible. #47916
+ * Added a resolve command to tsh that may be used as the target
+ for a Match exec condition in an SSH config. #47868
+ * Respect HTTP_PROXY environment variables for Access Request
+ integrations. #47738
+ * Updated tsh ssh to support the -- delimiter similar to openssh.
+ It is now possible to execute a command via tsh ssh user@host
+ -- echo test or tsh ssh -- host uptime. #47493
+
-------------------------------------------------------------------
Wed Oct 23 19:59:26 UTC 2024 - Johannes Kastl
diff --git a/teleport.obsinfo b/teleport.obsinfo
index 782f249..b5927f7 100644
--- a/teleport.obsinfo
+++ b/teleport.obsinfo
@@ -1,4 +1,4 @@
name: teleport
-version: 16.4.6
-mtime: 1729696164
-commit: 3104d1ac1ceac0d0405f6a675110f258a67dbb2a
+version: 16.4.7
+mtime: 1731375738
+commit: 15dfef10fe2175e458e54e81e94dcae0b5f59757
diff --git a/teleport.spec b/teleport.spec
index c384ea0..d783f51 100644
--- a/teleport.spec
+++ b/teleport.spec
@@ -16,10 +16,8 @@
#
-%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
-
Name: teleport
-Version: 16.4.6
+Version: 16.4.7
Release: 0
Summary: Identity-aware, multi-protocol access proxy
License: AGPL-3.0-only
@@ -36,15 +34,18 @@ Source6: vendor.tar.zst
BuildRequires: cargo >= 1.69
BuildRequires: cargo-packaging
BuildRequires: git-core
-BuildRequires: go1.22 >= 1.22.6
+BuildRequires: go1.22 >= 1.22.9
BuildRequires: pam-devel
BuildRequires: systemd-rpm-macros
Requires: teleport-tctl
%description
-Teleport is the easiest, most secure way to access all your infrastructure. Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols.
+Teleport is the easiest, most secure way to access all your infrastructure.
+Teleport is an identity-aware, multi-protocol access proxy which understands
+SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols.
-On the server-side, Teleport is a single binary which enables convenient secure access to behind-NAT resources such as:
+On the server-side, Teleport is a single binary which enables convenient secure
+access to behind-NAT resources such as:
* SSH nodes - SSH works in browsers too!
* Kubernetes clusters
* PostgreSQL, MongoDB, CockroachDB and MySQL databases
@@ -71,7 +72,10 @@ Summary: CLI tool for Machine ID
License: Apache-2.0
%description -n teleport-tbot
-Machine ID is a service that programmatically issues and renews short-lived certificates to any service account (e.g., a CI/CD server) by retrieving credentials from the Teleport Auth Service. This enables fine-grained role-based access controls and audit.
+Machine ID is a service that programmatically issues and renews short-lived
+certificates to any service account (e.g., a CI/CD server) by retrieving
+credentials from the Teleport Auth Service. This enables fine-grained
+role-based access controls and audit.
tbot is the executable belonging to the Machine ID service.
%package -n teleport-fdpass-teleport
@@ -79,7 +83,9 @@ Summary: Significantly reduce resource consumption by large numbers of SS
License: Apache-2.0
%description -n teleport-fdpass-teleport
-fdpass-teleport can be optionally used by Machine ID to significantly reduce resource consumption in use-cases that create large numbers of SSH connections (e.g. Ansible).
+fdpass-teleport can be optionally used by Machine ID to significantly reduce
+resource consumption in use-cases that create large numbers of SSH connections
+(e.g. Ansible).
%prep
%setup -q
diff --git a/vendor.tar.gz b/vendor.tar.gz
index f308924..f0ecc8c 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:39424da30baf398391dc12e436f37d83947ace81a023f6e2fc251b4b690770e4
-size 46776161
+oid sha256:c77a1db3984a74b6c2a7f4c7e6fa3f9f475e1ad49bc8d1123d2d149e5e63939d
+size 46781164
diff --git a/vendor.tar.zst b/vendor.tar.zst
index e297552..2780074 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:4ab85d230031a7ff69ff4ffb80efe1e6e3048a17543cd75004004833cc976b97
-size 729773
+oid sha256:76257b2718534c1704e89d1f423d6c384c810517a913abbc26d3a98fbcec5c5b
+size 728970